forked from pool/libsepol
Accepting request 904153 from home:jsegitz:branches:security:SELinux
- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
  Added CVE-2021-36085.patch
- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
  Added CVE-2021-36086.patch

OBS-URL: https://build.opensuse.org/request/show/904153
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libsepol?expand=0&rev=87
parent d9c6b82ffe
commit d28af01c4e
33
CVE-2021-36085.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
|
||||||
|
From: James Carter <jwcart2@gmail.com>
|
||||||
|
Date: Thu, 8 Apr 2021 13:32:04 -0400
|
||||||
|
Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
|
||||||
|
|
||||||
|
Map perms share the same struct as regular perms, but only the
|
||||||
|
map perms use the classperms field. This field is a pointer to a
|
||||||
|
list of classperms that is created and added to when resolving
|
||||||
|
classmapping rules, so the map permission doesn't own any of the
|
||||||
|
data in the list and this list should be destroyed when the AST is
|
||||||
|
reset.
|
||||||
|
|
||||||
|
When resetting a perm, destroy the classperms list without destroying
|
||||||
|
the data in the list.
|
||||||
|
|
||||||
|
Signed-off-by: James Carter <jwcart2@gmail.com>
|
||||||
|
---
|
||||||
|
libsepol/cil/src/cil_reset_ast.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
Index: libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
|
||||||
|
===================================================================
|
||||||
|
--- libsepol.orig/libsepol-3.2/cil/src/cil_reset_ast.c
|
||||||
|
+++ libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
|
||||||
|
@@ -36,7 +36,7 @@ static void cil_reset_class(struct cil_c
|
||||||
|
|
||||||
|
static void cil_reset_perm(struct cil_perm *perm)
|
||||||
|
{
|
||||||
|
- cil_reset_classperms_list(perm->classperms);
|
||||||
|
+ cil_list_destroy(&perm->classperms, CIL_FALSE);
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void cil_reset_classperms(struct cil_classperms *cp)
|
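Review bot: cil_reset_perm() also runs for regular perms, which per the commit message never use the classperms field, so the new cil_list_destroy(&perm->classperms, CIL_FALSE) call has to be safe when that pointer is NULL; nothing in this hunk shows that it is, so either confirm cil_list_destroy() tolerates a NULL list or guard the call. A one-line comment in cil_reset_perm() saying that the map perm does not own the list entries, and that this is why CIL_FALSE is passed, would keep someone from switching it back to a recursive reset later.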
39
CVE-2021-36086.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
From c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: James Carter <jwcart2@gmail.com>
|
||||||
|
Date: Thu, 8 Apr 2021 13:32:06 -0400
|
||||||
|
Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
|
||||||
|
classpermission
|
||||||
|
|
||||||
|
In struct cil_classperms_set, the set field is a pointer to a
|
||||||
|
struct cil_classpermission which is looked up in the symbol table.
|
||||||
|
Since the cil_classperms_set does not create the cil_classpermission,
|
||||||
|
it should not reset it.
|
||||||
|
|
||||||
|
Set the set field to NULL instead of resetting the classpermission
|
||||||
|
that it points to.
|
||||||
|
|
||||||
|
Signed-off-by: James Carter <jwcart2@gmail.com>
|
||||||
|
---
|
||||||
|
libsepol/cil/src/cil_reset_ast.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
|
||||||
|
index 89f91e56..1d9ca704 100644
|
||||||
|
--- a/libsepol/cil/src/cil_reset_ast.c
|
||||||
|
+++ b/libsepol/cil/src/cil_reset_ast.c
|
||||||
|
@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
|
||||||
|
|
||||||
|
static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
|
||||||
|
{
|
||||||
|
- cil_reset_classpermission(cp_set->set);
|
||||||
|
+ if (cp_set == NULL) {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cp_set->set = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void cil_reset_classperms_list(struct cil_list *cp_list)
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
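Review bot: with cp_set->set = NULL in cil_reset_classperms_set(), any code that reads the set field between a reset and the next resolve pass now sees NULL instead of a stale pointer, and this patch only changes the reset path, so those readers need to be checked for a NULL test. The hunk header shows cil_reset_classpermission() defined directly above; after this change it loses this caller, so confirm it is still reached through the classpermission's own AST node, otherwise the classpermission is never reset and the static function becomes unused. No regression input for the use-after-free is added alongside the fix; a minimal CIL policy that goes through a reset would be worth carrying with it.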
@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jul 5 11:31:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||||
|
|
||||||
|
- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
|
||||||
|
Added CVE-2021-36085.patch
|
||||||
|
- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
|
||||||
|
Added CVE-2021-36086.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Mar 9 09:11:42 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
Tue Mar 9 09:11:42 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||||
|
|
||||||
|
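Review bot: the two new changelog entries give the bug references as bare numbers ("1187965", "1187964") next to the CVE ids; openSUSE changes entries normally carry the tracker prefix (bsc#1187965, bsc#1187964) so that tooling and readers can resolve them. Suggest adding the prefix on both lines.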
@ -27,6 +27,9 @@ Group: Development/Libraries/C and C++
|
|||||||
URL: https://github.com/SELinuxProject/selinux/wiki/Releases
|
URL: https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
|
Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
|
||||||
Source2: baselibs.conf
|
Source2: baselibs.conf
|
||||||
|
# all upstream, remove in next version
|
||||||
|
Patch0: CVE-2021-36085.patch
|
||||||
|
Patch1: CVE-2021-36086.patch
|
||||||
BuildRequires: flex
|
BuildRequires: flex
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
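Review bot: the comment above Patch0/Patch1 says "all upstream, remove in next version" but does not say which upstream commits the patches correspond to. The patch headers carry them (2d35fcc7e9e976a2346b1de20e54f8663e8a6cba and c49a8ea09501ad66e799ea41b8154b6770fec2c8); naming them in the spec comment makes it straightforward to verify at the next version bump that both are in the release before dropping the patches.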
@ -88,6 +91,7 @@ policies.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%autopatch -p2
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%define _lto_cflags %{nil}
|
%define _lto_cflags %{nil}
|
||||||
|
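Review bot: %autopatch -p2 applies one strip level to both patches, yet they use different path styles: CVE-2021-36085.patch was refreshed to "libsepol.orig/libsepol-3.2/cil/src/cil_reset_ast.c" while CVE-2021-36086.patch keeps the upstream "a/libsepol/cil/src/cil_reset_ast.c". Both reduce to cil/src/cil_reset_ast.c under -p2, so this works, but the first patch now hard-codes the 3.2 directory name and its diffstat no longer matches its file header. Keeping both in the upstream git format would avoid that, and since both touch the same file it is worth noting that they must apply in the listed order.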